
ssh-add - Adding SSH Keys for Single Sign-On

ssh-add is a command for adding SSH private keys into the SSH authentication agent for implementing single sign-on with SSH. The agent process is called ssh-agent; see that page to see how to run it.

The cool thing about ssh-agent and ssh-add is that they allow the user to use any number of servers, spread across any number of organizations, without having to type in a password every time when moving between servers. This is commonly used by system administrators to move among the machines they administer. It is also widely used in universities and research institutions for accessing computing resources. However, it has also led to a proliferation of SSH keys in enterprises, and that is something administrators should be aware of, audit, and take steps to address.

Adding Default Keys

In the simplest form, ssh-add can be run without arguments. Used this way, it adds the default keys ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, and ~/.ssh/identity, if they exist.

Adding an Arbitrary Key

To add an arbitrary private key, give the path of the key file as an argument to ssh-add. For example,

ssh-add ~/.ssh/tatu-aws-key

would add the file ~/.ssh/tatu-aws-key.

Keys with Passphrases

If the key being added has a passphrase, ssh-add will run the ssh-askpass program to obtain the passphrase from the user. If the SSH_ASKPASS environment variable is set, the program given by that environment variable is used instead.

Some people use the SSH_ASKPASS environment variable in scripts to provide a passphrase for a key. The passphrase might then be hard-coded into the script, or the script might fetch it from a password vault. However, use of passphrases in this manner does not eliminate the need for proper key lifecycle management and rotation. Instead, we recommend looking at the PrivX On-Demand Access Manager on how to completely eliminate SSH keys in such applications and replace them by short-lived certificates issued on-demand based on centrally managed access policies.

ssh-add Command Line Options

ssh-add accepts the following command line options.

-c Causes a confirmation to be requested from the user every time the added identities are used for authentication. The confirmation is requested using ssh-askpass.

-D Deletes all identities from the agent.

-d Deletes the given identities from the agent. The private key files for the identities to be deleted should be listed on the command line.

-e pkcs11path Removes identities provided through a PKCS#11 interface, identified by the given path to its shared library. PKCS#11 interfaces are typically used for accessing keys on smartcards and hardware security modules (HSM).

-L Lists public key parameters of all identities currently represented by the agent.

-l Lists fingerprints of all identities currently represented by the agent.

-s pkcs11path Adds identities provided by the PKCS#11 shared library at pkcs11path. This can be used for adding keys on smartcards or in hardware security modules (HSM).

-t life Sets the maximum time the agent will keep the given key. After the timeout expires, the key is automatically removed from the agent. The value is in seconds, but can be suffixed with m for minutes, h for hours, d for days, or w for weeks.

-X Unlocks the agent. This prompts for the password that was given when the agent was locked.

-x Locks the agent. This asks for a password; the password is required for unlocking the agent. When the agent is locked, it cannot be used for authentication.
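The following script is an added example, not part of the original page, tying together two points above: the key proliferation that administrators should audit, and the -t option that bounds how long a key stays in the agent. It assumes OpenSSH's ssh-agent and ssh-add for the live session; the audit function itself only needs an `ssh-add -l` listing, so it is also exercised on a constructed one. The "RSA under 3072 bits or DSA is weak" rule is a policy threshold chosen for the example, not something the page states.

```shell
#!/bin/sh
# Added example, not from the original page: pair the -t option with an audit
# of `ssh-add -l` output so agent-held keys stay bounded in time and visible.
# Assumes OpenSSH ssh-agent/ssh-add for the live session; the audit function
# only needs a listing and is also run below on a constructed one.

# audit_agent_listing: read `ssh-add -l` output on stdin, print one line per
# identity as "STATUS BITS TYPE COMMENT". STATUS is WEAK for DSA keys and for
# RSA keys under 3072 bits (a policy threshold assumed here, not from the
# page), otherwise OK. Exit status is the number of WEAK identities.
audit_agent_listing() {
    awk '
    $0 == "The agent has no identities." { next }
    {
        bits = $1 + 0
        type = $NF; gsub(/[()]/, "", type)          # "(RSA)" -> "RSA"
        comment = "-"                               # fields 3..NF-1
        for (i = 3; i < NF; i++) comment = (i == 3) ? $i : (comment " " $i)
        status = "OK"
        if (type == "DSA" || (type == "RSA" && bits < 3072)) { status = "WEAK"; weak++ }
        printf "%s %d %s %s\n", status, bits, type, comment
    }
    END { exit weak + 0 }'
}

# agent_session_with_lifetime KEYFILE: start a dedicated agent, add KEYFILE so
# it expires after one hour (-t 1h) and asks before each use (-c), audit what
# the agent holds, then stop the agent so nothing outlives this script.
agent_session_with_lifetime() {
    eval "$(ssh-agent -s)" >/dev/null || return 1
    ssh-add -t 1h -c "$1" || { ssh-agent -k >/dev/null; return 1; }
    ssh-add -l | audit_agent_listing
    rc=$?
    ssh-agent -k >/dev/null
    return "$rc"
}

# Constructed `ssh-add -l` listing; the fingerprints are placeholders.
SAMPLE_LISTING='3072 SHA256:PLACEHOLDER1 tatu@laptop (RSA)
1024 SHA256:PLACEHOLDER2 legacy key (DSA)
256 SHA256:PLACEHOLDER3 deploy@ci (ED25519)'

if [ "$#" -gt 0 ]; then
    agent_session_with_lifetime "$1"      # e.g. ./agent-audit.sh ~/.ssh/tatu-aws-key
else
    printf '%s\n' "$SAMPLE_LISTING" | audit_agent_listing || echo "weak identities: $?"
fi
```

Run without arguments to see the audit on the constructed listing; pass a private key path to load it into a fresh agent with a one-hour lifetime and audit the live agent instead.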